X500Standard.com

Work Item overview

At the ITU-T Study Group 17 meeting 29 August - 7 September 2012 two new work items were proposed to initiate work on the deployment of Public-Key Infrastructure within different environments. This work item is common for Question 11, Generic technologies to support secure applications and Question 10, Identity management architecture and mechanisms with Question 11 as the leading question.

The two new work items texts are:

• ITU-T NWI on Public-Key Infrastructure: Profile;
• ITU-T NWI on Public-Key Infrastructure: Establishment and maintenance.

Reasons for profiling PKI

PKI is a powerful tool that can be used to provide secure authentication and authorization for security association (SA) and key establishment. However, PKI can be difficult to deploy and operate. This is primarily because PKI standards (such as X.509 and IETF RFC 5280) only provide a high level framework for digital certificate usage and for implementing a PKI. They provide a mechanism for defining naming conventions, certificate constraints, and certificate policies, but they do not specify how these should be used.

These standards rightfully leave the specification of these details, also called profiling, to be outlines for the particular type of deployment of PKI. Some industries (such as the financial services industry) have standardized a model PKI policy. The purpose of a profile is to define the naming conventions, constraints, policies, and many operational aspects of a PKI for a particular environment.

The profiling of Public-Key Infrastructure has so far typically been done by industry groups or similar organisations for particular purposes, such as:

• CA/Browser Forum;
• ETSI Electronic Signatures and Infrastructure; and
• IETF The Public-Key Infrastructure (X.509) (PKIX).

The first two groups are primarily profiling the Rec. ITU-T X.509 for particular purposes, while PKIX in addition is a standard making body.

Some traditional standards organisations, like ITU-T, IEC and IEC are also attempting to develop some kind of PKI profiling as addition to their standardisation process, for example:

• ITU-T Study Group 13 has developed some security specifications for Next Generation Network (NGN) that includes PKI aspects. See for example Rec. ITU-T Y.2704.
• IEC TC57 Working Group 15 is in the process of specifying use of public-key certificate, etc. to define how to apply PKI in the Smart Grid environment. See IEC/TS 62351-9, Key Management.
• ISO/TC 68 (Banking) has developed ISO 21188:2006, Public key infrastructure for financial services -- Practices and policy framework, which sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry.
• ISO/TC 215 (Health informatics) has developed a three part standard ISO 17090-x:2008 with the common title: Health informatics -- Public key infrastructure.

There probably many other examples of fragmented PKI profiles like work completed or in progress. A more coordinated approach seems necessary.

Potential areas for PKI standardisation:

• General considerations for a so-called machine-to-machine (M2M) environment.
• Smart Grid is an area of immediate concern, as a cyber attack on Smart Grid can have very unpleasant consequences. The smart Grid issue is described in more details in the section on Smart Grid and PKI. In particular, the relevance of such an activity is outlined in Why profiling is relevant.
• Cloud computing is an area, where PKI will play a major role. The more specific PKI issues related to Cloud Computing still need to be developed.
• Wireless PKI is a possible new area. A liaison statement from ITU-D Study Group 2 asks for ITU-T Study Group 17 assistance for developing Wireless PKI (WPKI) support. What requirements that are specific to WPKI still need to be identified.

PKI profiles

The PKI profiling work should cover items like:

• Public-key certificate content:
  • serial number generation;
  • rules for subject name structure;
  • rules for verification of subject name;
  • rules for issuer name structure;
  • rules for verification of issuer name;
  • selection of signature algorithm for signing of the public-key certificate;
  • recommendations for validity period;
  • permitted and/or required extensions;
  • encoding of extensions;
  • certificate policy;
• rules for trust anchor information;
• maximum certification path length;
• key pair generation for end-entity certificates;
• key pair generation for trust anchor;
• revocation of public-key certificates;
• revocation checking.

The requirements as indicated above may be different for different environment resulting in multiple profiles. Certain aspects may be common for several profiles.

As the works develops, the document structure will be determined. It may be relevant to have different documents for different environments.

Current liaison activities

At the ITU-T Study Group 17 meeting 29 August - 7 September 2012 two liaison statements were issued as listed below:

• Liaison Statement to ISO/IEC JTC 1/SC 27 on PKI deployment in different environment; and
• Liaison Statement to IEC TC 57/WG15 on PKI deployment within smart grid.

IN addition, liaison should be established with other organisations doing PKI profiling like work.

The PKIX group will be consulted on many detailed issues.